| CVE | Severity | Score | Score | Age | Title |
|---|---|---|---|---|---|
| CVE-2026-35569 | high | 8.7 | 8.7 | 1mo ago | Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS |
| CVE-2026-45011 | high | — | 8.0 | 15d ago | Apostrophe has stored XSS via javascript: URL in Image Widget Link |
| CVE-2026-45013 | high | — | 8.0 | 15d ago | Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation |
| CVE-2026-45012 | high | — | 8.0 | 15d ago | Apostrophe has authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget |
| CVE-2026-39857 | unknown | — | — | 1mo ago | ApostropheCMS: Information Disclosure via choices/counts Query Parameters Bypassing publicApiProjection Field Restrictions |
| CVE-2026-33889 | unknown | — | — | 1mo ago | ApostropheCMS: Stored XSS via CSS Custom Property Injection in @apostrophecms/color-field Escaping Style Tag Context |
| CVE-2026-33888 | unknown | — | — | 1mo ago | ApostropheCMS: publicApiProjection Bypass via project Query Builder in Piece-Type REST API |
| CVE-2026-33877 | unknown | — | — | 1mo ago | ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint |
| CVE-2026-32730 | unknown | — | — | 2mo ago | ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware |
| CVE-2021-25979 | unknown | — | — | 5y ago | Apostrophe CMS Insufficient Session Expiration vulnerability |
| CVE-2021-25978 | unknown | — | — | 5y ago | Cross-site Scripting in apostrophe |